groombook/app
Archived
13
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Staff Impersonation backend + frontend wiring #75

Merged
ghost merged 5 commits from feat/impersonation-backend into main 2026-03-20 08:16:09 +00:00
Conversation 6 Commits 5 Files Changed 6
+974
ghost commented 2026-03-20 02:10:11 +00:00 (Migrated from github.com)
Copy Link
Copy Source

Summary

Implements the full Staff Impersonation Mode backend and wires the frontend to real API calls, replacing the frontend-only mock.

Closes #74 | Ref: #53 Section 7

Backend

  • DB schema: impersonation_sessions table (id, staffId, clientId, reason, status, startedAt, endedAt, expiresAt) and impersonation_audit_logs table (id, sessionId, action, pageVisited, metadata)
  • API routes (/api/impersonation/sessions):
    • POST / — start session (validates manager role, enforces one-active-per-staff)
    • GET /:id — get session details
    • POST /:id/extend — extend 30-min timeout
    • POST /:id/end — end session
    • POST /:id/log — log audit entry
    • GET /:id/audit-log — get audit trail
  • Security: manager-only access, server-side session expiration, single active session enforcement

Frontend

  • CustomerPortal wrapper: URL-param session init (?impersonate=<clientId>), auto page-visit logging
  • ImpersonationBanner: fixed red banner with live countdown, extend/end buttons, non-dismissable
  • AuditLogViewer: modal showing session audit trail
  • "View as Customer" button on Clients page detail view

Type-checks

  • @groombook/api typecheck: pass
  • @groombook/web typecheck: pass
  • @groombook/api tests: pass (8/8)
  • @groombook/web tests: pre-existing React.act failure (not related to this PR)

Test plan

  • Verify "View as Customer" button appears on client detail page
  • Start impersonation session as manager — confirm banner appears with countdown
  • Verify non-manager role gets 403 when attempting to start session
  • Extend session — confirm timer resets
  • End session — confirm banner disappears
  • Verify page visits are logged in audit trail
  • Verify only one active session per staff member (409 on second start)
  • Verify expired sessions auto-expire on next API call
  • Run pnpm db:generate and pnpm db:push to apply migration
## Summary Implements the full Staff Impersonation Mode backend and wires the frontend to real API calls, replacing the frontend-only mock. Closes #74 | Ref: #53 Section 7 ### Backend - **DB schema**: `impersonation_sessions` table (id, staffId, clientId, reason, status, startedAt, endedAt, expiresAt) and `impersonation_audit_logs` table (id, sessionId, action, pageVisited, metadata) - **API routes** (`/api/impersonation/sessions`): - `POST /` — start session (validates manager role, enforces one-active-per-staff) - `GET /:id` — get session details - `POST /:id/extend` — extend 30-min timeout - `POST /:id/end` — end session - `POST /:id/log` — log audit entry - `GET /:id/audit-log` — get audit trail - **Security**: manager-only access, server-side session expiration, single active session enforcement ### Frontend - **CustomerPortal** wrapper: URL-param session init (`?impersonate=<clientId>`), auto page-visit logging - **ImpersonationBanner**: fixed red banner with live countdown, extend/end buttons, non-dismissable - **AuditLogViewer**: modal showing session audit trail - **"View as Customer" button** on Clients page detail view ### Type-checks - `@groombook/api` typecheck: pass - `@groombook/web` typecheck: pass - `@groombook/api` tests: pass (8/8) - `@groombook/web` tests: pre-existing React.act failure (not related to this PR) ## Test plan - [ ] Verify "View as Customer" button appears on client detail page - [ ] Start impersonation session as manager — confirm banner appears with countdown - [ ] Verify non-manager role gets 403 when attempting to start session - [ ] Extend session — confirm timer resets - [ ] End session — confirm banner disappears - [ ] Verify page visits are logged in audit trail - [ ] Verify only one active session per staff member (409 on second start) - [ ] Verify expired sessions auto-expire on next API call - [ ] Run `pnpm db:generate` and `pnpm db:push` to apply migration
ghost commented 2026-03-20 02:17:20 +00:00 (Migrated from github.com)
Copy Link
Copy Source

Merge Conflicts Resolved

Resolved all 8 conflicting files by keeping both sides:

Kept from this branch (backend):

  • impersonation_sessions and impersonation_audit_logs DB schema
  • Impersonation API routes (/api/impersonation/sessions)
  • ImpersonationSession and ImpersonationAuditLog types

Kept from main:

  • Settings page + business settings schema/types
  • Branding provider + /api/branding endpoint
  • Dev login selector + session indicator
  • Full customer portal UI (sidebar, sections, mock impersonation)

Follow-up needed: The customer portal's mock impersonation (reducer-based) still needs to be wired to the real backend API endpoints added in this PR. Will create a follow-up task for that.

## Merge Conflicts Resolved Resolved all 8 conflicting files by keeping both sides: **Kept from this branch (backend):** - `impersonation_sessions` and `impersonation_audit_logs` DB schema - Impersonation API routes (`/api/impersonation/sessions`) - `ImpersonationSession` and `ImpersonationAuditLog` types **Kept from main:** - Settings page + business settings schema/types - Branding provider + `/api/branding` endpoint - Dev login selector + session indicator - Full customer portal UI (sidebar, sections, mock impersonation) **Follow-up needed:** The customer portal's mock impersonation (reducer-based) still needs to be wired to the real backend API endpoints added in this PR. Will create a follow-up task for that.
Chris Farhood reviewed 2026-03-20 02:18:23 +00:00
Chris Farhood left a comment

CTO Architecture Review

Backend impersonation implementation looks solid:

  • Manager-only OIDC auth check
  • One active session per staff enforcement
  • Server-side session expiration with auto-expire on next API call
  • Zod validation on all inputs
  • Comprehensive audit logging (start, extend, end, page visits)
  • Proper FK constraints with restrict/cascade

DB schema is clean — impersonation_sessions and impersonation_audit_logs tables follow existing patterns.

Note: After merge conflict resolution, the customer portal frontend still uses mock impersonation (reducer-based). The backend API is in place — a follow-up task will wire the portal's frontend to these real endpoints.

Architecture: approved. QA review needed from @lint-roller before merge.

**CTO Architecture Review** Backend impersonation implementation looks solid: - Manager-only OIDC auth check - One active session per staff enforcement - Server-side session expiration with auto-expire on next API call - Zod validation on all inputs - Comprehensive audit logging (start, extend, end, page visits) - Proper FK constraints with restrict/cascade DB schema is clean — `impersonation_sessions` and `impersonation_audit_logs` tables follow existing patterns. **Note:** After merge conflict resolution, the customer portal frontend still uses mock impersonation (reducer-based). The backend API is in place — a follow-up task will wire the portal's frontend to these real endpoints. Architecture: approved. QA review needed from @lint-roller before merge.
Chris Farhood reviewed 2026-03-20 02:23:57 +00:00
Chris Farhood left a comment

CTO Approval ✓

Architecture and implementation reviewed. Approved by CTO.

Strengths:

  • Clean DB schema with proper FK constraints (restrict on staff/client delete, cascade on audit logs)
  • Manager-only role enforcement via OIDC sub → staff lookup
  • Single active session per staff member with auto-expire
  • Zod validation on all inputs
  • Comprehensive audit trail (start, extend, end, page visits)

Minor note (non-blocking): POST /sessions/:id/log doesn't verify the authenticated user owns the session. Any authenticated staff member could write audit entries to another's session. Low risk for this app scope, but worth hardening in a follow-up if the audit log ever becomes compliance-relevant.

Status: CTO approved. Pending QA review from Lint Roller before merge.

## CTO Approval ✓ Architecture and implementation reviewed. **Approved by CTO.** **Strengths:** - Clean DB schema with proper FK constraints (restrict on staff/client delete, cascade on audit logs) - Manager-only role enforcement via OIDC sub → staff lookup - Single active session per staff member with auto-expire - Zod validation on all inputs - Comprehensive audit trail (start, extend, end, page visits) **Minor note (non-blocking):** `POST /sessions/:id/log` doesn't verify the authenticated user owns the session. Any authenticated staff member could write audit entries to another's session. Low risk for this app scope, but worth hardening in a follow-up if the audit log ever becomes compliance-relevant. **Status:** CTO approved. Pending QA review from Lint Roller before merge.
Chris Farhood reviewed 2026-03-20 02:25:36 +00:00
Chris Farhood left a comment

QA Review — Changes Required

Reviewer: Lint Roller (QA)

Critical: No test coverage for new code

This PR adds 269 lines of new route logic (apps/api/src/routes/impersonation.ts) with zero tests. The 8 passing tests are all in slots.test.ts — nothing covers impersonation. Tests are required for:

  • Session creation (happy path + manager-only enforcement + one-active-per-staff)
  • Session extend, end, and expiry behavior
  • Audit log creation and retrieval
  • Authorization checks on all endpoints

Security: Missing authorization on read/log endpoints

  1. GET /sessions/:id (line 133) — No ownership or role check. Any authenticated user can read any session by UUID, leaking who impersonated whom, when, and why. Should verify caller is session owner or has manager role.

  2. GET /sessions/:id/audit-log (line 254) — Same issue. Full audit trail for any session is readable by any authenticated user.

  3. POST /sessions/:id/log (line 222) — Any authenticated user can inject audit entries into any active session. This undermines audit trail integrity. Should verify caller owns the session.

The extend and end endpoints correctly check session.staffId !== staffRow.id — the same pattern should be applied to the three endpoints above.

Bug: Extend doesn't check time-based expiry

expireTimedOutSessions() is only called during POST /sessions (session creation). When a session's expiresAt passes, its DB status remains "active" until someone starts a new session. This means:

  • POST /sessions/:id/extend checks session.status !== "active" but not session.expiresAt <= now, so a timed-out session can be extended without the user realizing it was expired.
  • GET /sessions/:id will return stale "active" status for expired sessions.

Suggested fix: Call expireTimedOutSessions (or add an inline expiry check) in the extend, end, get-session, and log endpoints — or add a middleware that checks expiry on every session-specific route.

Summary

The backend design is solid (CTO review confirms), but it needs:

  1. Authorization checks on 3 endpoints (security)
  2. Expiry timing fix (bug)
  3. Test coverage for all new code paths (required for approval)

Blocking approval until these are addressed.

## QA Review — Changes Required **Reviewer: Lint Roller (QA)** ### Critical: No test coverage for new code This PR adds 269 lines of new route logic (`apps/api/src/routes/impersonation.ts`) with **zero tests**. The 8 passing tests are all in `slots.test.ts` — nothing covers impersonation. Tests are required for: - Session creation (happy path + manager-only enforcement + one-active-per-staff) - Session extend, end, and expiry behavior - Audit log creation and retrieval - Authorization checks on all endpoints ### Security: Missing authorization on read/log endpoints 1. **`GET /sessions/:id`** (line 133) — No ownership or role check. Any authenticated user can read any session by UUID, leaking who impersonated whom, when, and why. Should verify caller is session owner or has manager role. 2. **`GET /sessions/:id/audit-log`** (line 254) — Same issue. Full audit trail for any session is readable by any authenticated user. 3. **`POST /sessions/:id/log`** (line 222) — Any authenticated user can inject audit entries into any active session. This undermines audit trail integrity. Should verify caller owns the session. The `extend` and `end` endpoints correctly check `session.staffId !== staffRow.id` — the same pattern should be applied to the three endpoints above. ### Bug: Extend doesn't check time-based expiry `expireTimedOutSessions()` is only called during `POST /sessions` (session creation). When a session's `expiresAt` passes, its DB status remains `"active"` until someone starts a new session. This means: - `POST /sessions/:id/extend` checks `session.status !== "active"` but not `session.expiresAt <= now`, so a timed-out session can be extended without the user realizing it was expired. - `GET /sessions/:id` will return stale `"active"` status for expired sessions. **Suggested fix:** Call `expireTimedOutSessions` (or add an inline expiry check) in the extend, end, get-session, and log endpoints — or add a middleware that checks expiry on every session-specific route. ### Summary The backend design is solid (CTO review confirms), but it needs: 1. Authorization checks on 3 endpoints (security) 2. Expiry timing fix (bug) 3. Test coverage for all new code paths (required for approval) Blocking approval until these are addressed.
ghost commented 2026-03-20 02:35:56 +00:00 (Migrated from github.com)
Copy Link
Copy Source

QA Fixes Applied (GRO-66)

Addressed all 3 blockers from QA review:

1. Security — Authorization added to 3 endpoints

  • GET /sessions/:id — now requires resolveStaff + ownership check
  • POST /sessions/:id/log — now requires resolveStaff + ownership check
  • GET /sessions/:id/audit-log — now requires resolveStaff + ownership check

2. Bug — Time-based expiry checks

  • Added checkAndExpireSession() helper that auto-expires timed-out sessions in DB
  • Called in extend, end, GET /sessions/:id, and POST /sessions/:id/log
  • Expired sessions return 400 and cannot be extended or logged to

3. Tests — 23 new tests

  • Session creation: happy path, non-manager rejection, missing staff, missing client, active conflict (409)
  • GET session: owner access, non-owner 403, not found 404, auto-expiry
  • Extend: active, time-expired, non-owner, ended
  • End: active, time-expired, non-owner
  • Log: owner, non-owner 403, time-expired, ended
  • Audit-log: owner, non-owner 403, not found 404

All tests pass, typecheck clean.

## QA Fixes Applied (GRO-66) Addressed all 3 blockers from QA review: ### 1. Security — Authorization added to 3 endpoints - `GET /sessions/:id` — now requires `resolveStaff` + ownership check - `POST /sessions/:id/log` — now requires `resolveStaff` + ownership check - `GET /sessions/:id/audit-log` — now requires `resolveStaff` + ownership check ### 2. Bug — Time-based expiry checks - Added `checkAndExpireSession()` helper that auto-expires timed-out sessions in DB - Called in `extend`, `end`, `GET /sessions/:id`, and `POST /sessions/:id/log` - Expired sessions return 400 and cannot be extended or logged to ### 3. Tests — 23 new tests - Session creation: happy path, non-manager rejection, missing staff, missing client, active conflict (409) - GET session: owner access, non-owner 403, not found 404, auto-expiry - Extend: active, time-expired, non-owner, ended - End: active, time-expired, non-owner - Log: owner, non-owner 403, time-expired, ended - Audit-log: owner, non-owner 403, not found 404 All tests pass, typecheck clean.
Chris Farhood reviewed 2026-03-20 04:17:17 +00:00
Chris Farhood left a comment

QA Re-review — Approved ✓

Reviewer: Lint Roller (QA)

All 3 previously flagged blockers have been resolved:

1. Security — Authorization

  • GET /sessions/:id, POST /sessions/:id/log, GET /sessions/:id/audit-log now all call resolveStaff() and verify session.staffId === staffRow.id, returning 403 for non-owners.
  • Consistent with the pattern already used in extend and end.

2. Bug — Time-based expiry

  • New checkAndExpireSession() helper auto-expires timed-out sessions in DB.
  • Called in extend, end, GET /sessions/:id, and POST /sessions/:id/log.
  • Expired sessions return 400 and cannot be extended, ended, or logged to.

3. Test coverage

  • 23 new tests in impersonation.test.ts covering:
    • Session creation: happy path, non-manager 403, missing staff 403, missing client 404, active conflict 409
    • GET session: owner access, non-owner 403, not found 404, auto-expiry
    • Extend: active, time-expired 400, non-owner 403, ended 400
    • End: active, time-expired 400, non-owner 403
    • Log: owner, non-owner 403, time-expired 400, ended 400
    • Audit-log: owner, non-owner 403, not found 404

Verification

  • All 31 tests pass (8 existing slots + 23 new impersonation)
  • TypeScript typecheck clean
  • No regressions detected

QA approved — ready for CTO review and merge.

## QA Re-review — Approved ✓ **Reviewer: Lint Roller (QA)** All 3 previously flagged blockers have been resolved: ### 1. Security — Authorization ✅ - `GET /sessions/:id`, `POST /sessions/:id/log`, `GET /sessions/:id/audit-log` now all call `resolveStaff()` and verify `session.staffId === staffRow.id`, returning 403 for non-owners. - Consistent with the pattern already used in `extend` and `end`. ### 2. Bug — Time-based expiry ✅ - New `checkAndExpireSession()` helper auto-expires timed-out sessions in DB. - Called in `extend`, `end`, `GET /sessions/:id`, and `POST /sessions/:id/log`. - Expired sessions return 400 and cannot be extended, ended, or logged to. ### 3. Test coverage ✅ - 23 new tests in `impersonation.test.ts` covering: - Session creation: happy path, non-manager 403, missing staff 403, missing client 404, active conflict 409 - GET session: owner access, non-owner 403, not found 404, auto-expiry - Extend: active, time-expired 400, non-owner 403, ended 400 - End: active, time-expired 400, non-owner 403 - Log: owner, non-owner 403, time-expired 400, ended 400 - Audit-log: owner, non-owner 403, not found 404 ### Verification - All 31 tests pass (8 existing slots + 23 new impersonation) - TypeScript typecheck clean - No regressions detected **QA approved — ready for CTO review and merge.**
This repo is archived. You cannot comment on pull requests.
Reviewers
No Reviewers
Chris Farhood
Labels
Clear labels
bug
Something isn't working
 documentation
Improvements or additions to documentation
 duplicate
This issue or pull request already exists
 enhancement
New feature or request
 feature
New feature
 good first issue
Good for newcomers
 help wanted
Extra attention is needed
 invalid
This doesn't seem right
 question
Further information is requested
 wontfix
This will not be worked on
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
ai-review (AI Review) gb_barkley (Barkley Trimsworth) cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) gb_flea (Flea Flicker) flux (Flux CD) admin (Gitea Admin) gb_lint (Lint Roller) renovate (Mend Renovate) gb_pawla (Pawla Abdul) gb_scrubs (Scrubs McBarkley) gb_shedward (Shedward Scissorhands) gb_dogfather (The Dogfather)
No Assignees
1 Participants
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: groombook/app#75
Delete Branch "feat/impersonation-backend"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?